Security evaluation
Introduction
This is an individual assignment and requires students to conduct a security evaluation of their personal information management situation and report on the results of this evaluation. The main body of the report is expected to be around 2500 words, but quality is more important than length. The intention of this review is to give you exposure to some of the issues that organisations might face when conducting similar information security reviews, but clearly with much less formality (both in terms of how the review is conducted and the expectations around the control environment).
As it is not feasible to give you access to a ‘normal’ organisational setting, we will use your personal situation as a simulation for the organisation. Despite this being similar to an organisational security review, it is important that you treat the situation ‘as is’ – that is, you should focus on the risks that are relevant to your situation, not to some real or pretend organisation. These risks may not be quite the same as those that organisations experience, but risks do vary significantly between differing organisations, so this will not undermine the integrity of this exercise.
The security evaluation review for this year will focus on some key issues, including access controls, operations security (backup and recovery, protection from malware, updates) and cybersecurity (concerning resilience and protection from cyber-attacks, malware and hacking).
There may be some overlap between these issues.
There will be opportunities for students to informally discuss issues with this assignment and their review during the classes in the weeks leading up to the submission deadline. Make sure that you are familiar with what is required of this assignment and take advantage of this opportunity.
Requirements
This assignment is intended to cover the full range of your personal situation with respect to information and its management – this will include any technology, insomuch as it relates to information processing and storage. This includes:
home computers, laptops and home networks;
mobile devices that you may have, including smart phones, tablets, smart watches, and fitness devices;
other storage media that you use to store relevant information;
personal information you store online (in the cloud – data storage and email).
For this exercise, you should exclude:
other home-related devices such as smart TVs, Google/Apple/Amazon smart home devices, and electronic locks;
information about you that is stored by others (for example, the information the University keeps on students is outside of the scope of this review);
any work-related activity or home businesses (information security issues with these work-related contexts would normally be covered by the workplace and their security evaluation processes).
The first step in the review is to identify all of the relevant information assets, any associated technology resources, and what these resources are used for. It is important for your report to include a description of these assets and their uses so that the reader has a context within which to situate the investigation and its findings. The nature of these assets and their use will influence the risk environment, so your overview is important for the reader to make a judgement about the reliability of the review and its findings.
In conducting such a review it is common practice to have a normative model against which the situation is assessed. You should use ISO 27002:2013 as the primary source for constructing a customised normative model for this review, but this should be supplemented by other sources as appropriate (and these other sources should be identified and properly referenced). Note that it is important that the review extends beyond the simple technical aspects of the situation, so the customised model should account for non-technical aspects as well. [Details on accessing ISO 27002 can be found in the week 4 tutorial work.]
As noted above, the review for this year should focus on the issues of access controls, operations security (backup and recovery, protection from malware, updates) and cybersecurity (concerning resilience and protection from cyber-attacks, malware and hacking). These issues should become primary headings in your normative model (it is your responsibility to manage the overlap between these issues), and each of them should contain a number of controls that would then form the basis of the normative model and subsequent evaluation.
The adaptation of ISO 27002 (and other sources) for the normative model needed for the evaluation should be guided by risk management principles – that means selecting a set of controls that are likely to be more important in a personal environment and leaving out controls that are not all that relevant. As a guide for this assignment, it is expected that you would have around 15 to 20 controls in your customised normative model. These customised controls should have a link back to the sources (such as ISO 27002 – using the control number from the standard), so the reader knows where this element was derived from. In some cases, the customised control in your normative model may be a direct copy of the control from the standard, and in other cases it may be an adaptation from a range of sources (such as those covered in the week 4 lecture and tutorial work).
To illustrate this process of adaptation, Section 5 of ISO 27002 covers issues associated with security policy. For a personal situation, it would be quite unusual to have formalised written security policies in place in relation to the issues of concern to this assignment – so the lack of such written policies would not be a reasonable finding to make in most circumstances. However, it is quite likely you might have some informal policies in place, such as who you might allow various facilities to be used by, what security software you use, and how and when you back up your data. This suggests that it could be helpful to have a general control in your adapted evaluation model relating to security policy, but it would be reasonable for this to be kept at a high level (and then used during the evaluation to consider whether your informal policies are adequate for the situation at hand).
After constructing the customised normative model, you should use this to conduct a review of your own personal information security situation and report on the findings and recommendations. This is usually done by looking at the real situation and comparing this to the issues in the customised normative model. Where there is alignment between your situation and various controls in the normative model, this suggests the security measures are appropriate and these issues become commendations. Where there is misalignment, the differences require further investigation and can then become the basis for recommendations for change or improvement.
In conducting the review, you may find it helpful to undertake some tests to verify some of the findings. As an example, you could physically check backup stores and verify that they keep the most recent copies of the data, as per the backup arrangements that you think might be in place, and that this backup data really is retrievable and easily able to be restored. You could also use various software tools to verify security elements of the technical environment.
In making the findings and recommendations, you should be guided by the risk environment you are operating in. For example, you would not make recommendations about implementing a rigorous backup routine if you had little sensitive information to lose – you should suggest a contingency approach that matches this risk profile. It is important to recognise that an overly stringent security environment is likely to be just as problematic as one with insufficient security measures, as in the longer term, many of these stringent security measures will be ignored or neglected if they are seen as being unnecessary for the risk profile they are meant to be controlling.
And finally, you should reflect on how well this whole process has worked after completing the review. These reflections would not normally be part of an organisational security evaluation report, but can be seen as bringing some academic rigour to this exercise and may also be part of a high quality professional practice where professionals will reflect on activities they have undertaken. The use of references will improve the quality of your reflections.
Examples of the questions you may consider in your reflections include: Has this review produced the intended results? Is it likely to uncover the main information security issues and make reasonable recommendations for change? Is a review of this nature worth the effort? Are there easier ways that could be used to provide reasonable assurance about information security risks? Has your adaptation of the security model provided adequate coverage of the issues for a personal situation such as the one you are in? How easy would it be for others (particularly people without a strong IT or security background) to use these materials to assure themselves that they are not exposing themselves to unwarranted information security risks?
Required sections for your report
In summary, your report should include the following (these six dot points could be used as the basis for major headings/sections in your report):
an overview of your personal situation and the key risks areas that may be present (information, technology, and what these artefacts are used for; what are the key risks that might be evident in these uses of information and technology);
a brief discussion of the customised normative model that you have used for your review. This section is mainly concerned with how you have constructed this normative model and why you have included the various controls in the model, noting the various sources you have used. This section is more about providing a rationale for why various controls have been included, rather than just providing a simple list of the controls;
a summary of the tasks undertaken to conduct the review. What steps did you follow in conducting the review? What evidence did you consider in helping you form your views? What tests did you perform in order to verify the answers to key review questions? Did you use any automated tools for any of this testing?
the findings of your review and recommendations for improvement. You should provide a summary of the good and bad issues that arose from the review. What issues from the situation came up looking good in the review, and where was there room for improvement? What things would you realistically change in order to improve the information security environment? It is important that this section only presents a summary of the key issues from the review – the details of the evaluation of individual controls should be put in the appendix (the appendix table, with the fourth column detailing the evaluation of each individual control). You should not make recommendations that haven’t appeared anywhere in the appendix table.
a reflection on the methodology or review approach, following your experience of applying it to your personal computing situation. This is an important part of the assignment and should not be neglected. There are details above on what should be covered in this section, and a reasonable length for this section is around 500+ words;
an appendix with the details of your review. The detailed issues considered (customised normative model) and the assessment against these issues should be included in an appendix in a table format (described below). This material is not part of the main word count for the assignment. While this appendix is not part of the word count, it will be part of the assessment for the assignment, and the marker will need access to this material to ascertain the nature and quality of the review that you have undertaken. Without this table, there is little evidence that you have actually conducted an appropriate security evaluation, and your assignment will be marked accordingly.
Assessment
The assignment is worth 30% of the marks for Information Security. The deadline for submissions of this assignment is Sunday night at the end of week 11 (24 April 2022).
The main body of the report is expected to be around 2500 words – please include a word count, but words from any quotations, your bibliography, and the appendix table, should not be included in this word count. Note that it is not necessary to include an executive summary as this report is sufficiently brief, but a brief introduction setting out what the report covers would be helpful.
In marking the report, attention will be given to your understanding of information security concepts and how well you have met the requirements detailed above. Style and technique of your writing will also be considered.
The section providing a reflection on the methodology and review approach is an important part of this assignment and will attract around one quarter of the marks allocated.
For the appendix only: It is quite likely that the material in this appendix will use headings and other material taken directly from the ISO 27002 standard. So long as you make it clear which parts have been taken from the standard and which parts are your own responses, it is not necessary to put the material from the standard in quotation marks. For example, a sentence in your appendix (as a lead-in, or a footnote) could state that ‘the controls in the left-hand column have been derived directly from the ISO 27002 standard unless otherwise noted’; this then avoids the need for quotation marks and in-text references for each of these controls.
Submission: All assignments should be submitted in electronic format (via the Canvas online assignment submission process). A coversheet is not required (submission to the Canvas drop box is a formal acknowledgement that this is your own work unless otherwise noted), but you should include your student id, assessment item name and the word count.
There is no draft submission box, but you can make multiple submissions to this assignment box and view Ouriginal reports. Please do NOT submit your assignment to the draft Ouriginal checking processes on another unit’s Canvas site. This will lead to a very high plagiarism score when you subsequently submit the assignment to this Canvas site and a penalty will be applied to the marking of your assignment in these cases.
A suggested process for this assignment is:
identify your information assets, associated technology and uses;
think briefly about any risks that these uses might entail;
construct your customised normative model, and use this to populate the left-hand column of your appendix table;
conduct the security evaluation, using the appendix table as a means of documenting the elements of this review – this should result in a fully populated appendix table;
write the main body of the assignment, including the description of the information assets, the normative model and its construction, the description of the process you undertook, and key findings and recommendations – these findings and recommendations should connect directly with elements in your appendix table;
write the reflections section of the report.
Sample row for appendix
Note that this is a sample row only – the content of the cells in your review table is likely to be different! Note that the text in the first column has been taken directly from the ISO 27002 standard, with the control number being a sufficient attribution in this case (there should be a statement on this elsewhere in the appendix as noted above).
It is expected that you will have about 15 to 20 rows of this nature in the appendix of your report.
| Control | Current situation; evaluations undertaken | Tests | Recommendations |
|---|---|---|---|
| 12.3.1: Backup copies of information, software and system images should be taken and tested regularly in accordance with agreed back-up policy. | There is an informal policy in place for backing up important user data. Laissez-faire approach adopted to implementing back-up policy, but most data is synchronised with cloud storage and backed up reasonably regularly. Current work of significance is backed up frequently after major edits using email and USB drives. Minimal testing of back-up arrangements except when outages/losses are experienced. | Back-up data stores viewed, with timing and frequency of backups considered. Backup data verified that it could be easily restored. No testing of system image backups due to the logistical difficulties involved. | Formally integrate back-up schedule into electronic calendar to ensure more regular compliance with policy. Test back-up repositories from time to time to ensure stored data can be recovered. |
In some cases, rows like this could be split into multiple rows if you think this is warranted – in this case, you may have two rows – one that considers the taking of backups and a second one concerned with the testing of these backups.
The example above is about backup – the first column is a statement of the control (12.3.1 in this case); the second column is a description of what backup arrangements actually exist in your current situation, making sure you address issues mentioned in the control. You don’t need to discuss the risks here.
The third column is about any tests that you do as part of this evaluation. Not all controls (rows in your table) will need tests. It is also important to distinguish between the testing that you do as a regular part of your normal operational activities, and the tests that you do for this evaluation. For example, if you normally test your backups on a regular basis (perhaps to see that they will actually work, which is something that organisations should be doing fairly regularly), then this is something that should be noted in the second column. But if you have specifically tested a backup as part of this evaluation process, then this is something that would be noted in the third column, along with a description of the test results.
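The backup tests described in the Requirements section (checking that the backup store holds the most recent copies and that the data really is restorable) and recorded in the third column above can be automated, and the output gives concrete evidence to quote as test results. The script below is an added example written for this brief, not part of the assignment materials or of any tool it names; it assumes a live folder and a backup folder on local disk, and it builds its own constructed sample files rather than touching real user data.

```python
import hashlib
import shutil
import tempfile
import time
from pathlib import Path

def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large backups need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def check_backup(source: Path, backup: Path, max_age_hours: float) -> dict:
    """Compare a live folder with its backup copy: returns relative paths that
    are 'missing' from the backup, 'stale' (copy older than max_age_hours)
    or a content 'mismatch'. All three lists empty = complete, fresh, intact."""
    report = {"missing": [], "stale": [], "mismatch": []}
    cutoff = time.time() - max_age_hours * 3600
    for src_file in (p for p in source.rglob("*") if p.is_file()):
        rel = str(src_file.relative_to(source))
        bak_file = backup / rel
        if not bak_file.exists():
            report["missing"].append(rel)
            continue
        if bak_file.stat().st_mtime < cutoff:
            report["stale"].append(rel)
        if sha256_of(src_file) != sha256_of(bak_file):
            report["mismatch"].append(rel)
    return report

def restore_and_verify(backup: Path, rel: str, expected_sha256: str) -> bool:
    """Restore one file from the backup into a scratch folder and check its
    hash: the 'can it actually be recovered' test, never touching live data."""
    with tempfile.TemporaryDirectory() as scratch:
        restored = Path(scratch) / Path(rel).name
        shutil.copy2(backup / rel, restored)
        return sha256_of(restored) == expected_sha256

def demo() -> dict:
    """Constructed sample data (not real user files): one good copy, one
    out-of-date copy and one file that was never backed up."""
    root = Path(tempfile.mkdtemp())
    src, bak = root / "live", root / "backup"
    (src / "notes").mkdir(parents=True)
    (bak / "notes").mkdir(parents=True)
    (src / "notes" / "essay.txt").write_text("final draft")
    (bak / "notes" / "essay.txt").write_text("final draft")  # good copy
    (src / "budget.csv").write_text("rent,800")
    (bak / "budget.csv").write_text("rent,700")              # out-of-date copy
    (src / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0")      # never backed up
    report = check_backup(src, bak, max_age_hours=24)
    report["restorable"] = restore_and_verify(
        bak, "notes/essay.txt", sha256_of(src / "notes" / "essay.txt"))
    shutil.rmtree(root)
    return report
```

Point `check_backup` at your own folders and set `max_age_hours` to the interval your informal backup policy claims; a non-empty `stale` list is exactly the kind of finding that belongs in the fourth column.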
The fourth column is used to note findings and recommendations with respect to that control. If everything is good, you should note that. I expect this will be the case for some (perhaps many) of the controls. Where there are differences between what you are doing yourself and what the control indicates you should be doing, then these are findings, and also the basis for recommendations – that is, things you can change to bring your practices more in line with the control. Some judgement may be needed around these recommendations.
All of this does have a risk element to it. For example, guidance such as the Essential Eight recommends daily backups. From a personal perspective, this might be much more than is needed, except when you are working on something quite critical (like this assignment) where more frequent backups would be very helpful due to the amount of work that might be lost if something went wrong. This could mean that from a risk perspective, personal backup arrangements that were not daily could still be acceptable, so long as they were ramped up when more critical work was being done.
You don’t need a lot of discussion about this risk context in the appendix table, although the recommendations you make in the table should take some account of it. Where there are significant discrepancies between the recommendations you actually make (based on this risk context and what would be reasonable) and what the control indicates should be happening, then these could have a brief discussion in the findings section of the report.
References
ISO (2013) ISO/IEC 27002:2013 Information technology – Security techniques – Code of practice for information security controls, International Standards Organisation, Switzerland.